From 2a01431de5205f980c76c061e07337b21205e0d3 Mon Sep 17 00:00:00 2001 From: Miroslav Date: Dec 21 2011 13:52:49 +0000 Subject: - sssd needs sys_admin capability --- diff --git a/policy-F16.patch b/policy-F16.patch index 0ae075c..72c2443 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -14740,7 +14740,7 @@ index 6cf8784..fa24001 100644 +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index f820f3b..39b1056 100644 +index f820f3b..d29862e 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',` @@ -15418,7 +15418,7 @@ index f820f3b..39b1056 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4784,3 +5150,812 @@ interface(`dev_unconfined',` +@@ -4784,3 +5150,822 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') 
@@ -16147,6 +16147,16 @@ index f820f3b..39b1056 100644 + filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap9") + filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntdev") + filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntalloc") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC0") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC1") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC2") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC3") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC4") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC5") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC6") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC7") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC8") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC9") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr0") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr1") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd0") @@ -16232,10 +16242,18 @@ index f820f3b..39b1056 100644 + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") +') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te -index 08f01e7..1c2562c 100644 +index 08f01e7..4fba365 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te -@@ -108,6 +108,7 @@ dev_node(ksm_device_t) +@@ -20,6 +20,7 @@ files_mountpoint(device_t) + files_associate_tmp(device_t) + fs_type(device_t) + fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0); ++dev_node(device_t) + + # + # Type for /dev/agpgart +@@ -108,6 +109,7 @@ dev_node(ksm_device_t) # type kvm_device_t; dev_node(kvm_device_t) 
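Review bot: `+dev_node(device_t)` in the new devices.te hunk (the inner `@@ -20,6 +20,7 @@` block) puts the generic /dev label itself on the device_node attribute, so every interface that grants access by that attribute (the dev_*_all_* family, if this devices.if follows upstream refpolicy) now reaches nodes still labelled device_t, which is a wider grant than the commit title ("sssd needs sys_admin capability") suggests. If the widening is intended, a one-line comment on the rule would spare the next reader a trip through devices.if: `# generic /dev nodes take part in the device_node attribute (dev_*_all_* interfaces)`. If it was only needed to pair with the devtmpfs fs_use_trans line directly above it, a narrower rule may do; worth confirming against the denial that motivated it.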
@@ -16243,7 +16261,7 @@ index 08f01e7..1c2562c 100644 # # Type for /dev/lirc -@@ -118,6 +119,12 @@ dev_node(lirc_device_t) +@@ -118,6 +120,12 @@ dev_node(lirc_device_t) # # Type for /dev/mapper/control # @@ -16256,7 +16274,7 @@ index 08f01e7..1c2562c 100644 type lvm_control_t; dev_node(lvm_control_t) -@@ -265,6 +272,7 @@ dev_node(v4l_device_t) +@@ -265,6 +273,7 @@ dev_node(v4l_device_t) # type vhost_device_t; dev_node(vhost_device_t) @@ -16264,7 +16282,7 @@ index 08f01e7..1c2562c 100644 # Type for vmware devices. type vmware_device_t; -@@ -310,5 +318,5 @@ files_associate_tmp(device_node) +@@ -310,5 +319,5 @@ files_associate_tmp(device_node) # allow devices_unconfined_type self:capability sys_rawio; @@ -19366,7 +19384,7 @@ index f125dc2..f5e522e 100644 ######################################## # diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index 6346378..8c500cd 100644 +index 6346378..7a317b8 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -345,13 +345,8 @@ interface(`kernel_load_module',` @@ -19383,7 +19401,32 @@ index 6346378..8c500cd 100644 ') ######################################## -@@ -2072,7 +2067,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` +@@ -1464,6 +1459,24 @@ interface(`kernel_dontaudit_list_all_proc',` + + ######################################## + ## ++## Allow attempts to read all proc types. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_read_all_proc',` ++ gen_require(` ++ attribute proc_type; ++ ') ++ ++ read_files_pattern($1, proc_type, proc_type) ++') ++ ++######################################## ++## + ## Do not audit attempts by caller to search + ## the base directory of sysctls. + ## +@@ -2072,7 +2085,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` ') dontaudit $1 sysctl_type:dir list_dir_perms; 
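Review bot: The new `kernel_read_all_proc` interface in the kernel.if hunk at +1459 is documented only as "Allow attempts to read all proc types", which does not tell a caller that `read_files_pattern($1, proc_type, proc_type)` covers every type carrying proc_type rather than just /proc system and network state. A second summary sentence would steer callers to the narrower interfaces: `## This is a superset of the kernel_read_*_state interfaces; prefer those when the needed path is known.` The interface body is complete within the hunk.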
@@ -19392,7 +19435,7 @@ index 6346378..8c500cd 100644 ') ######################################## -@@ -2293,7 +2288,7 @@ interface(`kernel_read_unlabeled_state',` +@@ -2293,7 +2306,7 @@ interface(`kernel_read_unlabeled_state',` ## ## ## @@ -19401,7 +19444,7 @@ index 6346378..8c500cd 100644 ## ## # -@@ -2475,6 +2470,24 @@ interface(`kernel_rw_unlabeled_blk_files',` +@@ -2475,6 +2488,24 @@ interface(`kernel_rw_unlabeled_blk_files',` ######################################## ## @@ -19426,7 +19469,7 @@ index 6346378..8c500cd 100644 ## Do not audit attempts by caller to get attributes for ## unlabeled character devices. ## -@@ -2619,7 +2632,7 @@ interface(`kernel_sendrecv_unlabeled_association',` +@@ -2619,7 +2650,7 @@ interface(`kernel_sendrecv_unlabeled_association',` allow $1 unlabeled_t:association { sendto recvfrom }; # temporary hack until labeling on packets is supported @@ -19435,7 +19478,7 @@ index 6346378..8c500cd 100644 ') ######################################## -@@ -2657,6 +2670,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` +@@ -2657,6 +2688,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` ######################################## ## @@ -19460,7 +19503,7 @@ index 6346378..8c500cd 100644 ## Receive TCP packets from an unlabeled connection. ## ## -@@ -2684,6 +2715,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` +@@ -2684,6 +2733,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` ######################################## ## @@ -19486,7 +19529,7 @@ index 6346378..8c500cd 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2793,6 +2843,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` +@@ -2793,6 +2861,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` allow $1 unlabeled_t:rawip_socket recvfrom; ') 
@@ -19520,7 +19563,7 @@ index 6346378..8c500cd 100644 ######################################## ## -@@ -2948,6 +3025,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` +@@ -2948,6 +3043,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## ## @@ -19545,7 +19588,7 @@ index 6346378..8c500cd 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2962,4 +3057,25 @@ interface(`kernel_unconfined',` +@@ -2962,4 +3075,25 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; @@ -27814,10 +27857,10 @@ index 0000000..fa9b95a +') diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te new file mode 100644 -index 0000000..1441c62 +index 0000000..0bb9297 --- /dev/null +++ b/policy/modules/services/boinc.te -@@ -0,0 +1,172 @@ +@@ -0,0 +1,171 @@ +policy_module(boinc, 1.0.0) + +######################################## @@ -27870,6 +27913,7 @@ index 0000000..1441c62 +dev_read_rand(boinc_domain) +dev_read_urand(boinc_domain) +dev_read_sysfs(boinc_domain) ++dev_rw_xserver_misc(boinc_domain) + +domain_read_all_domains_state(boinc_domain) + @@ -27983,8 +28027,6 @@ index 0000000..1441c62 + +corenet_tcp_connect_boinc_port(boinc_project_t) + -+dev_rw_xserver_misc(boinc_project_t) -+ +files_dontaudit_search_home(boinc_project_t) + +optional_policy(` @@ -58380,7 +58422,7 @@ index 275f9fb..2a0e198 100644 init_labeled_script_domtrans($1, snmpd_initrc_exec_t) diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te -index 3d8d1b3..9509742 100644 +index 3d8d1b3..e666122 100644 --- a/policy/modules/services/snmp.te +++ b/policy/modules/services/snmp.te @@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0) 
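Review bot: Moving `dev_rw_xserver_misc` from boinc_project_t to the boinc_domain attribute (added in the boinc.te hunk at +27913, removed in the one at +28027) grants read/write on the xserver misc device nodes to every domain carrying boinc_domain, not only the project domain that had it before; the block of boinc_domain rules starts outside the hunk, so which domains that covers is not visible here. Neither hunk nor the commit message says why the wider grant is needed, so a comment on the new line would help: `# TODO: record which boinc domain besides boinc_project_t needs rw on xserver_misc_device_t`. If only one further domain needs it, an explicit rule for that domain keeps the grant minimal.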
@@ -58407,7 +58449,7 @@ index 3d8d1b3..9509742 100644 allow snmpd_t self:tcp_socket create_stream_socket_perms; allow snmpd_t self:udp_socket connected_stream_socket_perms; -@@ -41,10 +43,11 @@ manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) +@@ -41,18 +43,18 @@ manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) manage_sock_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file) files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file }) @@ -58421,7 +58463,16 @@ index 3d8d1b3..9509742 100644 kernel_read_device_sysctls(snmpd_t) kernel_read_kernel_sysctls(snmpd_t) -@@ -94,15 +97,19 @@ files_search_home(snmpd_t) + kernel_read_fs_sysctls(snmpd_t) + kernel_read_net_sysctls(snmpd_t) + kernel_read_proc_symlinks(snmpd_t) +-kernel_read_system_state(snmpd_t) +-kernel_read_network_state(snmpd_t) ++kernel_read_all_proc(snmpd_t) + + corecmd_exec_bin(snmpd_t) + corecmd_exec_shell(snmpd_t) +@@ -94,15 +96,19 @@ files_search_home(snmpd_t) fs_getattr_all_dirs(snmpd_t) fs_getattr_all_fs(snmpd_t) fs_search_auto_mountpoints(snmpd_t) @@ -58442,7 +58493,7 @@ index 3d8d1b3..9509742 100644 logging_send_syslog_msg(snmpd_t) -@@ -115,7 +122,7 @@ sysnet_read_config(snmpd_t) +@@ -115,7 +121,7 @@ sysnet_read_config(snmpd_t) userdom_dontaudit_use_unpriv_user_fds(snmpd_t) userdom_dontaudit_search_user_home_dirs(snmpd_t) @@ -60466,7 +60517,7 @@ index 941380a..ce8c972 100644 # Allow sssd_t to restart the apache service sssd_initrc_domtrans($1) diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te -index 8ffa257..5c32a99 100644 +index 8ffa257..b231b96 100644 --- a/policy/modules/services/sssd.te +++ b/policy/modules/services/sssd.te @@ -17,6 +17,7 @@ files_pid_file(sssd_public_t) 
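Review bot: Replacing `kernel_read_system_state(snmpd_t)` and `kernel_read_network_state(snmpd_t)` with `kernel_read_all_proc(snmpd_t)` in the snmp.te hunk at +43 swaps two targeted grants for read access to every type carrying the proc_type attribute (the interface added to kernel.if in this same commit is `read_files_pattern($1, proc_type, proc_type)`), which is presumably a superset of what the two removed lines allowed. Since the commit message mentions only sssd, the reason belongs on the line, e.g. `# snmpd reads /proc entries beyond system and network state; see kernel_read_all_proc`, and it is worth checking whether the missing access was a single path that one of the existing kernel_read_* interfaces already covers. The enclosing snmpd_t rule block starts outside the hunk.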
@@ -60483,7 +60534,7 @@ index 8ffa257..5c32a99 100644 # -allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid }; + -+allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid }; ++allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin }; allow sssd_t self:process { setfscreate setsched sigkill signal getsched }; -allow sssd_t self:fifo_file rw_file_perms; +allow sssd_t self:fifo_file rw_fifo_file_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index e6f1750..47469f0 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 67%{?dist} +Release: 68%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -466,6 +466,9 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Dec 21 2011 Miroslav Grepl 3.10.0-68 +- sssd needs sys_admin capability + * Thu Dec 15 2011 Miroslav Grepl 3.10.0-67 - Add httpd_can_connect_ldap() interface - NetworkManager needs to write to /sys/class/net/ib*/mode
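Review bot: `sys_admin` is appended to sssd_t's self:capability set without a comment, and the commit message ("sssd needs sys_admin capability") records the need but not the operation behind it; sys_admin is the broadest capability in the set, so the rule should name the action that triggered it, e.g. a line above the allow rule reading `# sys_admin: <operation from the denial behind 3.10.0-68 - TODO>`. If that operation maps to a more specific capability, or a dontaudit is acceptable, the narrower rule would keep the grant minimal. As a point of style, placing the new name next to `sys_nice` rather than after `setuid` makes the sys_* capabilities easier to spot when reading the rule.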